Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Security Risk of Keyboard Clicks

Posted by simoniker on from the tap-tap-oops dept.

Gudlyf writes "First the blinking LED security issue, now this: listening to tell-tale keyboard clicks to decipher from afar what a person is typing. This isn't limited to just computer keyboards -- ATM's, telephone keypads, security doors, etc. Apparently with $200 worth of sound equipment and software, these keyboard clicks can be translated to within 80% accuracy. Of course, a whole lot of this is just theory."

10 of 361 comments (clear)

  1. Re:Great... by orangesquid · · Score: 4, Interesting

    Nah. Think about it: pressing different spots of your screen is like pressing down a guitar string at different points. You will cause the screen to resonate with a multitude of frequencies with distinct audio "fingerprints" for different points on the screen, which can also be picked up by very sensitive equipment.

    Sorry.

    --
    --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
  2. 80% accuracy can be useless... or not by shoppa · · Score: 4, Interesting
    80% accuracy is far from perfect. For instance, an OCR application that returned only 80% accuracy would probably be rejected by the vast majority of users, as this means hundreds of errors to be corrected per page.

    OTOH if all you want is a 6-character password, and it's typed a couple of times a day, then listening with 80% accuracy for a day may well be enough.

  3. New Technique for Wireless Keyboard by kelseyj · · Score: 3, Interesting

    This seems like this could be a new method of supporting wireless keyboards. No battery required!

    Place clever sig here

  4. Re:Great... by Aglassis · · Score: 4, Interesting

    The problem can be solved easy enough with a numeric keypad. Place seven-segment displays under the keys that are randomly orientated, like
    7 5 2
    4 3 1
    0 9 6
    8
    This solves the problem for ATMs. If you dim the LEDs and polarize the light, you would make it more difficult for a camera to find the password also. Obviously this only applies to a numeric keypad (for ATMs and the like) since it would be a pain in the ass to change the lettering dynamically on a keyboard (at least for the user). The solutions for those using keyboards could be as simple as using a smartcard with a PIN number (which you enter on the randomized 10 digit display). The sooner we get rid of the biggest security risk on computers IMHO (guessable passwords) the better.

    --
    Suddenly, the hairy finger of a familiar monkey tapped me on the shoulder. It was time.--G. T.
  5. Can be done by ear as well by shamir_k · · Score: 4, Interesting

    I had this teacher who also did some network consulting. He told us of a case where he knew somebody was logging on at a client's site using his password, but he couldn't figure out how his password was being hacked. He noticed that whenever he was logging in, a particular secretary used to hang around. He confronted her and she confessed to using his account. She was an experienced typist and claimed that she could figure out what he was typing by listening to the keystrokes a few times.

    --
    more about me
    1. Re:Can be done by ear as well by HD+Webdev · · Score: 3, Interesting

      He confronted her and she confessed to using his account. She was an experienced typist and claimed that she could figure out what he was typing by listening to the keystrokes a few times.

      I had a friend in high school that claimed he could translate tty-38 typing even with the high background noise level those machines made in the computing rooms.

      He demonstrated this by falsely calling in for support and writing down username/password combinations when the techs would show up and use their remote passwords. He'd then gain access to those accounts and snoop around for access to other accounts & systems. We watched him do it. Unless he was tricking us by using user/passwords he already knew, he really could hear it.

      We thought he was really cool until he gained accessed to something he shouldn't and MIB came for him.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
  6. IT professionals: don't ignore this by jrm228 · · Score: 5, Interesting
    It's easy to dismiss this right out, but for people who follow the intelligence industry this isn't new. Spooks can already listen to conversations through windows with lasers that measure vibration, and use filter technology to eliminate relatively constant background noise (e.g. a shower running). Combine that with some keyboard listening technology that's been in development for a long time: (see BBC 2001 reference) and suddenly IT security becomes a lot more interesting.

    As IT pros, this should have a significant impact on how you think about your IT security policies. Strong password policies are still important, but this further exaggerates the need for strong physical security for all your terminals and surrounding areas.

  7. This technology was bound to emerge by Handover+Slashdot · · Score: 5, Interesting

    For many years, navy submarines have been able to identify surface ships by the sounds of their props. Not just the type, but the exact ship. Why couldn't this be applied to keyboards, especially if you monitor the particular typist for a while?

  8. Re:Great... by gUmbi · · Score: 4, Interesting

    Of course you could just have the software randomize the location of the numbers each time.

    I came across this type of device when entering a bank building. You had to enter a 6-digit code into a keypad to unlock the door. Each key was a tiny LCD display and the location of each digit was randomized for each use.

  9. Background noise would not help by lxt · · Score: 3, Interesting

    I'm afraid you're incorrect to say playing background noise would help. General background noise - even completely randomised white noise - won't be a problem for an incredibly sensitive microphone. Decent (OK, incredibly expensive) rifle mics are exceedingly directional, eliminating any noise from the sides.

    If you were to train a rifle mic direct at a keyboard from say, 20 metres away in a very busy work environment you could easily pick it up. You can also use a basic 32 band EQ to remove most noise outside of the keyboard clicking frequency.

    Background noise isn't really a problem - it's truly amazing what you can do with the correct equipment. For example, the USSR bugged a US embassy by donating an wall mounted American seal. It was sweeped for bugs, and nothing found. This was because there wasn't actually a bug in there - just a simple thin wire, that would vibrate with speech. The USSR then used a highly directional microphone across the street trained at the seal. They were then able to take the vibrations of the wire, and enhance them into speech.

    And that was around 20 years ago, long before the sound digital enhancement techniques of today.

    So I'll sleep well, but in the knowledge that background noise ain't going to help me that much. To stop keyboard noises the noise would have to be so loud you probably wouldn't be able to work anyway.